

Active · Library

thisispiers/xss-escape
======================

A PHP implementation of OWASP Cross Site Scripting Prevention Cheat Sheet

Latest release: 1.0.2 (1y ago). License: LGPL-3.0-only. Language: PHP (requires PHP >= 7.1).

Repository created Jun 5; last pushed 1y ago; 1 watcher.

[Source](https://github.com/thisispiers/xss-escape) · [Packagist](https://packagist.org/packages/thisispiers/xss-escape) · [RSS](/packages/thisispiers-xss-escape/feed). Default branch: main. Synced 1mo ago.


\thisispiers\Xss\Escape
=======================

A PHP implementation of [OWASP's Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

Released under LGPL v3.0. Requires PHP >= 7.1 and the mbstring extension.

Install with Composer: `composer require thisispiers/xss-escape`

Usage
-----

Untrusted data must be encoded for the context it is inserted into: the characters that let an attacker break out of an attribute value are not the same ones that break out of a JavaScript string literal or a CSS value, so one encoder does not cover every slot in a page. This library provides a static method for each context.

### Text in HTML Body

i.e. text between tags, such as `<div>UNTRUSTED DATA</div>`

```
htmlBody(mixed $untrusted_data): string

```

`$untrusted_data` is cast to string

### HTML in HTML body

i.e. markup the user controls, such as `<div>UNTRUSTED HTML</div>`

Per-character encoding is not an option here because it would destroy the intended markup. Use a full HTML sanitizer in this context, such as [HTML Purifier](https://github.com/ezyang/htmlpurifier) (PHP, server side) or [DOMPurify](https://github.com/cure53/DOMPurify) (JavaScript, in the browser).

### Safe HTML attributes

i.e. a quoted attribute value, such as `<div attr="UNTRUSTED DATA">`

```
htmlAttr(string $attr, mixed $untrusted_data, bool $wrap = true): string

```

`$attr` must be one of

- align
- alink
- alt
- bgcolor
- border
- cellpadding
- cellspacing
- class
- color
- cols
- colspan
- coords
- dir
- face
- height
- href (see [URLs](#URLs))
- hspace
- ismap
- lang
- marginheight
- marginwidth
- multiple
- nohref
- noresize
- noshade
- nowrap
- ref
- rel
- rev
- rows
- rowspan
- scrolling
- shape
- span
- src (see [URLs](#URLs))
- summary
- tabindex
- title
- usemap
- valign
- value
- vlink
- vspace
- width

`$untrusted_data` is cast to string

If `$wrap` is `true`, the return value is a complete attribute ready to drop into a tag: a leading space, the attribute name, `=`, and the encoded data in double quotes, i.e. ` value="ENCODED DATA"`. With `$wrap` set to `false` only the encoded value is returned; place it inside a double-quoted attribute yourself.

### URLs

URLs in `src` or `href` HTML attributes, i.e. `<a href="UNTRUSTED URL">link</a>` or `<img src="UNTRUSTED URL">`

```
validateUrl(mixed $untrusted_data): bool

```

`$untrusted_data` is cast to string

`validateUrl` only returns a verdict; it does not encode. Untrusted URLs are currently only checked to be HTTPS, a deliberately crude test that avoids turning this into a full URL parsing library. A URL that passes can still point anywhere, so it is highly recommended that you run more sophisticated validation on your untrusted URLs, such as rejecting URLs by hostname, and that you still attribute-encode the value when you place it in `href` or `src`.
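A stricter check than "starts with https", as an added example that is not part of this library: it parses the URL and allow-lists both the scheme and the host, which is the hostname rejection recommended above. `isSafeHttpUrl`, `checkSampleUrls` and the allow list are hypothetical names and values of mine; the sample URLs are constructed to exercise common bypasses of a prefix check.

```php
<?php
declare(strict_types=1);

// Added example, not part of thisispiers/xss-escape. The library's validateUrl()
// only checks for HTTPS; this stricter check (my own isSafeHttpUrl, with a
// hypothetical host allow list) rejects by hostname. After validation the URL
// still has to be attribute-encoded when it is placed in href/src.

function isSafeHttpUrl(string $url, array $allowedHosts): bool
{
    // Whitespace, control characters and backslashes change how browsers parse
    // a URL compared with parse_url(); refuse them outright.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Scheme allow list: blocks javascript:, data:, vbscript:, file: and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // user:pass@host lets "https://cdn.example.com@evil.example/" look trusted.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Plain DNS labels only: no IP literals, no raw Unicode, no odd punctuation.
    if (!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/', $host)) {
        return false;
    }
    // Exact match, so "cdn.example.com.evil.example" does not pass as a suffix match would.
    return in_array($host, $allowedHosts, true);
}

// Constructed inputs exercising the common bypasses of a "starts with https" check.
function checkSampleUrls(): array
{
    $allowed = ['cdn.example.com', 'www.example.com'];  // hypothetical allow list
    $samples = [
        'https://cdn.example.com/app.js',                 // allowed
        'HTTPS://WWW.EXAMPLE.COM/',                       // allowed: scheme/host are case-insensitive
        'https://evil.example/https://cdn.example.com',   // rejected: trusted name is only in the path
        'https://cdn.example.com@evil.example/',          // rejected: userinfo
        'https://cdn.example.com.evil.example/',          // rejected: attacker-controlled parent domain
        'javascript:alert(1)',                            // rejected: scheme
        'https://cdn.example.com\\@evil.example/',        // rejected: backslash
        ' https://cdn.example.com/',                      // rejected: leading whitespace
    ];
    $out = [];
    foreach ($samples as $u) {
        $out[$u] = isSafeHttpUrl($u, $allowed);
    }
    return $out;
}

foreach (checkSampleUrls() as $u => $ok) {
    echo $ok ? 'ALLOW ' : 'REJECT', ' ', $u, "\n";
}
```

The host allow list is compared for exact equality after lowercasing; a `str_ends_with`-style suffix check would let `cdn.example.com.evil.example` through, and a substring check would let the trusted name appear anywhere in the path.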

### JavaScript variables


i.e. `var someValue='UNTRUSTED DATA';` or `someFunction('UNTRUSTED DATA');`

```
jsVar(mixed $untrusted_data): string

```

`$untrusted_data` is cast to string

### CSS values

i.e. a property value, such as `<div style="property: UNTRUSTED DATA">`

```
cssValue(mixed $untrusted_data): string

```

`$untrusted_data` is cast to string

### URL parameters

i.e. a query-string value, such as `<a href="/search?value=UNTRUSTED DATA">link</a>`

```
urlParam(mixed $untrusted_data): string

```

`$untrusted_data` is cast to string
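To make the per-context rules above concrete, here is an added example of minimal encoders that follow the OWASP rules for the HTML body, attribute, JavaScript string, CSS value and URL parameter contexts, with one constructed payload rendered into each slot. This is my own code, not the library's: the `ctx_*` function names are mine, and the library's exact output format may differ from what these produce.

```php
<?php
declare(strict_types=1);

// Added example (not code from thisispiers/xss-escape): minimal encoders that follow
// the OWASP per-context rules the library implements. Function names (ctx_*) and the
// $payload are mine; the library's own output format may differ.

// Unicode code point of one UTF-8 character (uses the mbstring extension).
function ctx_codepoint(string $char): int
{
    return unpack('N', mb_convert_encoding($char, 'UCS-4BE', 'UTF-8'))[1];
}

// Encode every non-alphanumeric character via $fmt. The /u modifier makes PCRE
// match whole code points, so multi-byte characters are encoded as one unit.
function ctx_encode_non_alnum(string $s, callable $fmt): string
{
    $out = preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m) use ($fmt): string {
        return $fmt(ctx_codepoint($m[0]));
    }, $s);
    if ($out === null) {
        // /u makes PCRE reject malformed UTF-8 instead of encoding it byte by byte.
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $out;
}

// Rule 1: text between tags. & < > " ' become entities.
function ctx_html_body(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Rule 2: inside a quoted attribute value. Everything non-alphanumeric becomes
// &#xHH; so the data can neither close the quote nor start an event handler.
function ctx_html_attr(string $s): string
{
    return ctx_encode_non_alnum($s, function (int $cp): string {
        return sprintf('&#x%02X;', $cp);
    });
}

// Rule 3: inside a quoted JavaScript string literal. \xHH below 256, otherwise
// \uHHHH, with a surrogate pair for code points above the BMP.
function ctx_js_string(string $s): string
{
    return ctx_encode_non_alnum($s, function (int $cp): string {
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    });
}

// Rule 4: inside a CSS property value. Six hex digits are always emitted so the
// escape cannot absorb a hex digit that follows it in the data.
function ctx_css_value(string $s): string
{
    return ctx_encode_non_alnum($s, function (int $cp): string {
        return sprintf('\\%06X', $cp);
    });
}

// Rule 5: a query-string parameter value. Percent-encode everything except the
// unreserved characters; the rest of the URL is built from trusted literals.
function ctx_url_param(string $s): string
{
    return rawurlencode($s);
}

// One payload rendered into every context. Each line is safe only because the
// encoder matches the slot the data lands in.
function ctx_render_all(string $payload): array
{
    return [
        'body' => '<div>' . ctx_html_body($payload) . '</div>',
        'attr' => '<div title="' . ctx_html_attr($payload) . '">x</div>',
        'js'   => "<script>var v = '" . ctx_js_string($payload) . "';</script>",
        'css'  => '<div style="color: ' . ctx_css_value($payload) . '">x</div>',
        'url'  => '<a href="/search?q=' . ctx_url_param($payload) . '">link</a>',
    ];
}

$payload = '"><script>alert(1)</script>';   // constructed sample, not real data
foreach (ctx_render_all($payload) as $context => $html) {
    echo str_pad($context, 5), ' ', $html, "\n";
}
```

Note what the script-block line shows: because `<` is emitted as `\x3C`, the literal sequence `</script>` never appears in the page source, so the HTML parser cannot end the script early no matter what the JavaScript string contains. The CSS encoder is still only appropriate for property values; it does not make an attacker-supplied property name or `url()` safe.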

### JSON in HTML


```
jsonInHtml(mixed $untrusted_data): string

```

`$untrusted_data` is cast to string

Do not interpolate the JSON straight into a `<script>` block. Output it inside a hidden element, then read that element's `textContent` and call `JSON.parse` on it, e.g.

```
<!-- the hidden element the script reads; the id must match the getElementById call -->
<div id="data" hidden><?= \thisispiers\Xss\Escape::jsonInHtml($data) ?></div>
<script>
var data = JSON.parse(document.getElementById('data').textContent);
</script>
```
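The same data-island pattern as an added example, with the unsafe direct-interpolation form beside it for contrast. `jsonForHtml`, `safeDataIsland` and `unsafeScriptIsland` are my own functions, not the library's `jsonInHtml`, and the `$data` sample is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the library's jsonInHtml(): the two halves of the pattern the
// README describes, with my own function names and a constructed $data sample.

// Serialise to JSON with < > & ' " escaped as \uXXXX inside strings, so the text
// can never contain "</script>" or "<!--" even if someone later drops it into a
// script block by mistake.
function jsonForHtml($data): string
{
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Safe: the JSON is the text content of a hidden element, so it is HTML-encoded
// like any other body text; the browser decodes the entities and textContent hands
// the original JSON string to JSON.parse.
function safeDataIsland($data): string
{
    $text = htmlspecialchars(jsonForHtml($data), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="data" hidden>' . $text . '</div>' . "\n"
        . '<script>var data = JSON.parse(document.getElementById(\'data\').textContent);</script>';
}

// Unsafe contrast: JSON interpolated straight into a script block. The HTML parser
// knows nothing about JSON string literals; the first "</script>" ends the block.
// json_encode() escapes "/" by default, which happens to hide this case, but
// JSON_UNESCAPED_SLASHES is common in real code and removes that accident.
function unsafeScriptIsland($data): string
{
    return '<script>var data = ' . json_encode($data, JSON_UNESCAPED_SLASHES) . ';</script>';
}

// Constructed sample carrying a script-block breakout and a few entity characters.
$data = ['name' => '</script><script>alert(1)</script>', 'note' => 'a & b "q"'];
echo safeDataIsland($data), "\n\n", unsafeScriptIsland($data), "\n";
```

In the safe output the payload survives only as `&lt;\u002Fscript&gt;...`, which `JSON.parse` turns back into the original string inside `data.name` without it ever having been parsed as HTML; in the unsafe output `</script><script>alert(1)</script>` is live markup.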

Contributing & Help
-------------------

Don't expect frequent updates, but pull requests for security and performance improvements are welcome!

There is no guarantee this library complies with the latest OWASP cheat sheet recommendations. Create an issue if you think it's out of date, or start a pull request.

To save keystrokes, you might want to create an alias for this class, e.g. `class_alias('\thisispiers\Xss\Escape', '\esc');`, after which calls become `\esc::htmlBody($value)`.

### Health Score

26 (Low; better than 43% of packages)

- Maintenance 34: infrequent updates, may be unmaintained
- Popularity 11: limited adoption so far
- Community 7: small or concentrated contributor base
- Maturity 45: maturing project, gaining track record
- Bus factor 1: the top contributor holds 100% of commits, a single point of failure

### Release Activity

- Cadence: every ~403 days
- Total releases: 3
- Last release: 628d ago

### Community

Maintainer: [thisispiers](/maintainers/thisispiers). Top contributor: [thisispiers](https://github.com/thisispiers) (7 commits).

